Chapter 7. Intellectual Property and Data

Manipulation or extraction of intellectual property (IP) and data is often the focus of software supply chain attacks. Intellectual property is any creation of human intellect, whether documents, drawings, source code, designs, or similar work product. Unintentional or intentional disclosure of IP and data can ruin a company at any stage, from startup to maturity. There is no shortage of data breaches and leaks, as shown in the Nira blog article “51 Biggest Document Leaks & Data Breaches of All Time.”1 Additionally, malicious actors continually scan for data and intellectual property left publicly exposed in cloud storage and other cloud-based services.

Everyone is familiar with malicious actors infiltrating networks to steal data, but the risk to the software supply chain is not only theft: an attacker who can read IP or data can usually also modify it or inject false information into it. Once a malicious actor infiltrates a network, they generally perform reconnaissance, which can last days, weeks, or even months. During this time they learn about the organization and determine how to cause the most damage or make the most money. Because the attacker's intent cannot be known in advance, IP and data must be protected against tampering as well as against disclosure.
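The tampering risk described above is easy to miss if monitoring only watches for data leaving the network. The following Python script is an added example, not code from the book, showing the minimum needed to notice modification of IP: build a SHA-256 manifest of a source tree, then compare a later snapshot against it and report files that were modified, added, or removed. The directory layout and file contents are constructed sample data.

```python
"""Added example (not from the book): detect tampering with IP, not only theft.

Builds a SHA-256 manifest of a source tree and compares a later snapshot
against it, reporting which files were modified, added, or removed.
The files created in demo() are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return which paths changed content, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "build.py").write_text("VERSION = '1.0'\n")
        (root / "src" / "util.py").write_text("def add(a, b): return a + b\n")
        (root / "README.md").write_text("internal design notes\n")
        baseline = build_manifest(root)

        # Simulated tampering: alter a value, plant a new file, delete a file.
        (root / "src" / "build.py").write_text("VERSION = '1.1'\n")
        (root / "src" / "hook.py").write_text("# planted file\n")
        (root / "README.md").unlink()
        current = build_manifest(root)
        return diff_manifest(baseline, current)


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must be kept where the attacker cannot rewrite it alongside the files it covers: sign it, or store it on a separate system, and compare on a schedule so that a change made during a long reconnaissance phase surfaces before it propagates into a build.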

To reduce the risk of IP and data loss, begin by using the infrastructure controls, such as logging and monitoring, mentioned in Chapter 4. Within this chapter I discuss the importance ...
